Palo Alto Networks disclosed a critical zero-day vulnerability on May 6, 2026, affecting its PAN-OS software, and evidence confirms active exploitation by a likely state-sponsored threat cluster already operating inside enterprise firewall infrastructure.
CVE-2026-0300 is a buffer overflow vulnerability residing in the User-ID™ Authentication Portal (also known as Captive Portal) service of Palo Alto Networks PAN-OS.
The flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets; no credentials or prior authentication are required.
The vulnerability does not affect Prisma Access, Cloud NGFW, or Panorama appliances. However, the risk escalates dramatically when the User-ID Authentication Portal is exposed to the public internet or untrusted network segments, a configuration common in organizations that have not followed Palo Alto Networks’ hardening best practices.
PAN-OS Zero-Day Exploited
Palo Alto Networks’ threat intelligence team, Unit 42, is actively tracking a threat cluster designated CL-STA-1132, assessed with high confidence as a state-sponsored actor that has weaponized CVE-2026-0300 in a carefully orchestrated, multi-week intrusion campaign.
The attack timeline reveals a disciplined, staged approach:
- April 9, 2026 – Initial unsuccessful exploitation attempts against a target PAN-OS device were recorded.
- Approximately April 16, 2026 – Attackers successfully achieved unauthenticated RCE. They injected shellcode into an nginx worker process and immediately took anti-forensic steps: clearing crash kernel messages, deleting nginx crash entries, and removing core dump files.
- Approximately April 20, 2026 – Attackers deployed multiple tools with root privileges and enumerated Active Directory using firewall service account credentials, targeting the domain root and DomainDnsZones objects.
- April 29, 2026 – A SAML flood attack was launched against the first compromised device, forcing a secondary firewall to assume Active status and inherit internet-facing traffic. The second device was then compromised via RCE, with EarthWorm and ReverseSocks5 downloaded onto the host.
The attacker’s toolkit selection reveals a deliberate strategy: relying on publicly available utilities rather than custom malware that would trigger signatures.
EarthWorm is an open-source, cross-platform network tunneling utility written in C. It functions as a SOCKS v5 server and port-forwarding tool, capable of establishing covert communication channels across restricted network boundaries.
Its capabilities map directly to MITRE ATT&CK techniques T1090 (Proxy) and T1572 (Protocol Tunneling), enabling forward and reverse SOCKS5 proxies, multi-hop cascaded tunnels, and the encapsulation of protocols such as RDP and SSH.
Notably, EarthWorm has previously been associated with threat actors Volt Typhoon, APT41, CL-STA-0046, and UAT-8337, a pattern consistent with Chinese state-sponsored cyber espionage operations.
ReverseSocks5 complements EarthWorm by establishing outbound connections from compromised hosts to attacker-controlled controllers, bypassing firewall rules and NAT restrictions.
Because the connection is initiated from inside the network, it evades perimeter-based detection. Both tools are publicly available, allowing the attackers to blend their tradecraft with legitimate administrative tooling.
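The SOCKS5 tunneling that both tools rely on is visible on the wire at connection setup, whichever side opened the TCP session. As an added example that is not from the article, Unit 42, or either tool's own code, the Python below decodes the RFC 1928 method negotiation and CONNECT/BIND/UDP request so a defender can flag SOCKS5 handshakes in first-packet payloads; the flow records, addresses and hostnames are constructed.

```python
# Added example (not from the article or the tools it names): a minimal detector for
# SOCKS5 negotiation traffic (RFC 1928), which EarthWorm and ReverseSocks5 both speak.
import ipaddress

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting: VER=5, NMETHODS=n, followed by exactly n method bytes."""
    return len(payload) >= 3 and payload[0] == SOCKS_VERSION and len(payload) == 2 + payload[1]

def parse_socks5_request(payload: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (command, host, port).
    Returns None for truncated, malformed or non-SOCKS5 bytes instead of raising."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x03:                         # domain name: 1 length byte + name
        if len(payload) < 5:
            return None
        start, end = 5, 5 + payload[4]
    elif atyp in (0x01, 0x04):               # IPv4 (4 bytes) or IPv6 (16 bytes)
        start, end = 4, 4 + (4 if atyp == 0x01 else 16)
    else:
        return None                          # reserved or unknown address type
    if len(payload) < end + 2:               # address plus 2-byte port must fit
        return None
    raw = payload[start:end]
    host = raw.decode("ascii", "replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    port = int.from_bytes(payload[end:end + 2], "big")
    return CMD_NAMES[cmd], host, port

def flag_socks_flows(flows):
    """flows: iterable of (src, dst, first_payload); returns (src, dst, note) findings."""
    findings = []
    for src, dst, payload in flows:
        if is_socks5_greeting(payload):
            findings.append((src, dst, "SOCKS5 method negotiation"))
        elif (req := parse_socks5_request(payload)) is not None:
            findings.append((src, dst, "SOCKS5 %s to %s:%d" % req))
    return findings

# Constructed sample flows (not real captures): an edge-device management address
# exchanging SOCKS5 with an external host, plus one ordinary HTTP request.
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.7", b"\x05\x01\x00"),
    ("203.0.113.7", "10.0.0.1", b"\x05\x01\x00\x03\x11dc01.corp.example\x01\x85"),
    ("10.0.0.1", "10.0.0.50", b"GET / HTTP/1.1\r\n"),
]
```

Run `flag_socks_flows(SAMPLE_FLOWS)` to see the two SOCKS5 findings; in practice the payloads would come from a packet capture or a sensor that records the first bytes of each flow.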
The CL-STA-1132 campaign exemplifies a broader trend in nation-state cyber espionage: targeting edge-network infrastructure (firewalls, routers, VPNs, and hypervisors) that sits at the boundary between trusted and untrusted networks.
These devices typically lack the endpoint detection agents and verbose logging found on standard workstations, resulting in far longer attacker dwell time before detection.
What makes this campaign especially sophisticated is its operational restraint. The attackers used non-persistent, intermittent interactive sessions over multiple weeks, intentionally staying below behavioral thresholds of automated alerting systems.
By abusing identity trust mechanisms (using firewall service account credentials for AD enumeration rather than deploying noisy lateral movement tools), they minimized their network footprint while maximizing access depth.
Mitigation
Organizations running vulnerable PAN-OS versions should take immediate action:
- Restrict User-ID Authentication Portal access exclusively to trusted internal IP address ranges and disable Response Pages on internet-facing interfaces via the Interface Management Profile.
- Disable the User-ID Authentication Portal entirely if it is not operationally required.
- Enable Threat ID 510019 via the Applications and Threats content version 9097-10022 for customers with an Advanced Threat Prevention subscription. Note that PAN-OS 11.1 or later is required for decoder support.
- Deploy Cortex Xpanse to identify any exposed instances of the User-ID Authentication Portal visible to the internet.
- Advanced WildFire ML models have been updated with indicators tied to CL-STA-1132 activity, and Advanced URL Filtering and Advanced DNS Security now flag known malicious domains and URLs from this campaign.
Organizations that suspect a compromise or need urgent incident response support can contact Unit 42 directly at +1 (866) 486-4842 (North America) or through regional contact lines covering EMEA, APAC, India, and Japan.
FAQ
What is CVE-2026-0300?
It is a critical buffer overflow zero-day in Palo Alto Networks PAN-OS Captive Portal that allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
Which Palo Alto Networks products are affected by CVE-2026-0300?
PA-Series and VM-Series firewalls running vulnerable PAN-OS versions are affected, while Prisma Access, Cloud NGFW, and Panorama are not impacted.
Who is exploiting CVE-2026-0300?
Unit 42 is tracking CL-STA-1132, a likely state-sponsored threat cluster that exploited this vulnerability to achieve unauthenticated RCE and deploy open-source tunneling tools for network espionage.
How can organizations protect themselves from CVE-2026-0300?
Organizations should restrict or disable the User-ID Authentication Portal, enable Threat ID 510019 with Advanced Threat Prevention, and use Cortex Xpanse to identify any exposed portal instances.
Site: thecybrdef.com